Loading…
Audience: Intermediate clear filter
arrow_back View All Dates
Saturday, September 12
 

10:30am CDT

400 Detections, Zero Alerts: Why your Detection Program is flying blind
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
You have 400 detection rules in production. Your ATT&CK coverage heatmap looks great in a board deck. But how many of those rules actually fire when the technique executes today, not when they were written 18 months ago?
If you can't answer that, you don't have coverage. You have promises.
This talk tackles the gap between deploying detections and proving they work. Detection rules silently break all the time. Schema changes, parser updates, log source drift, over-tuning. Nobody notices because false negatives are completely invisible. No one complains when an alert doesn't fire. You only find out during an incident review or a red team engagement, and by then it's too late. Most detection engineering content focuses on writing better rules or building more coverage, but almost nobody is asking the harder question: how do you know the rules you already wrote still work?
The answer is detection regression testing: running known-good attack simulations against deployed rules on a continuous, automated basis and alerting when they stop firing. This session walks through an open-source pipeline (sigma-regression-testing on GitHub) that automates the full lifecycle. Write vendor-agnostic Sigma detections. Convert and deploy to Splunk via REST API. Map each rule to a specific Atomic Red Team test. Run automated suites that produce pass/fail reports. Every step runs in GitHub Actions CI/CD with zero manual intervention after a detection merges.
Beyond the tooling, this talk introduces detection SLAs: measurable commitments like "this rule fires within 5 minutes of execution" and "100% of Priority 1 ATT&CK techniques have a passing regression test at all times." They transform detection programs from vague coverage claims into defensible, auditable engineering practices.
Attendees will leave with a working framework they can clone and deploy immediately, along with a concrete methodology for measuring detection health and identifying blind spots. Everything shown is running in production. The code is public. The pipeline is real.


Speakers
avatar for Tyler Casey

Tyler Casey

Detection Engineer, SCYTHE
Tyler Casey is a seasoned Cyber Professional with over a decade of experience in Defensive Cyber Operations (DCO). Currently serving as Lead Detection Engineer and Deputy of SCYTHE Labs at SCYTHE, Tyler specializes in developing and implementing robust defensive cybersecurity measures... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Active Directory Post-Mortem: Assumptions vs Reality
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Active Directory Domain Services has been around for 26 years, making it far from a young technology - yet it is not going anywhere anytime soon. Most companies still rely on Active Directory as their primary identity provider and management solution. One might assume that after all these years we have already mastered securing Active Directory with best practices. However, the reality is often the opposite: many AD environments are still poorly secured, which keeps them a common target for attackers.
In this talk, I will demonstrate three important vulnerabilities that still exist in Active Directory and are either unknown or not discussed enough. We will challenge a few assumptions along the way:
  • If an account is locked out, can you still brute-force its password?
  • If a user is in Protected Users, is the NT hash truly out of reach?
  • When you use RDP (MSTSC), does it cache more than just fragments of your screen?
By the end of the session, you will learn that some common assumptions are wrong and that you must always test and verify security controls in practice. You will also leave with practical mitigations and best practices to secure your environment against these vulnerabilities and reduce their impact.
Speakers
avatar for David Horak

David Horak

Security Engineer & Founder, Horizon Secured
David Horák is a System Security Engineer and Team Leader with 8+ years of experience securing Windows infrastructures and Active Directory. He has delivered 30+ security assessments across SMB, enterprise, and critical infrastructure, giving him a strong perspective on what security... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

AI Failures in IR: A Field Guide to Filling the Gaps
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Every security vendor is shipping AI. Every IR team is under pressure to adopt it. And in the middle of a real incident, the gap between what AI promises and what it actually delivers becomes very concrete, very fast.


This talk is a field guide to that gap. Drawing on experience as an incident responder on T-Mobile's CIRT during Salt Typhoon and on the builder side developing AI tooling for IR, I'll walk through the specific ways AI underperforms when a breach is unfolding — hallucinated IOCs and timestamps, confident wrong answers, first-hypothesis lock-in, bias toward threat explanations over innocuous ones, lost evidence chains, context windows that collapse on real forensic data, and agents that can take down your SIEM because nobody throttled them.


For each failure mode, we'll cover why it happens, how to recognize it in tools you're evaluating or already running, and what mitigations actually hold up under incident pressure. Attendees will leave with a taxonomy of AI failure modes in IR, a set of sharp questions to ask any vendor (or internal build team) claiming to solve them, recommendations for how to solve them, and a clearer picture of how AI can augment responders versus where it quietly creates new risks.
Speakers
avatar for Alex Thomson

Alex Thomson

Incident Response Specialist, Spacewalk.ai
Alex has over 30 years of professional experience in cybersecurity, including building and leading SOCs and other secops teams. Most recently, he served on T-Mobile's CIRT — including during the Salt Typhoon intrusion — before joining Spacewalk, where for the past 1.5 years he's... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

AI-Assisted IR Without the Lies: A Browser Forensics Case Study
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Offensive security teams are deploying autonomous agents that chain vulnerabilities end to end without human intervention. Vulnerability researchers are using LLMs to discover and exploit zero-days at a pace no human team can match. AI is already on both sides of the fight, and the gap between organizations that harness it and those that do not is widening fast.
Incident responders have largely held back, and for a good reason.
In IR, a hallucination is not a minor inconvenience. A fabricated timeline entry, a missed lateral movement path, or a confidently wrong attribution can mean a backdoor stays in the network, exfiltrated data goes unaccounted for, or an organization remediates a fiction while the real compromise remains intact. The stakes are not just technical. IR findings increasingly inform legal proceedings, regulatory responses, and executive decisions. Forensic evidence analyzed by a system that invents facts has no place in that chain.
And yet: if AI can genuinely accelerate triage and scope analysis, the organizations we respond for recover faster. That matters.
In the past months, we have been solving the precision problem rather than avoiding it. We started with one concrete use case: browser forensics. Using a combination of skills and agents, we built a pipeline that accelerates artifact triage and timeline reconstruction on real engagements.
The pipeline fetches browser history directly from the endpoint regardless of OS, parses artifacts across Chrome and Edge, and searches for relevant entries based on the suspicious activity that prompted the investigation, whether that is a domain, a time window, or a combination of both. What previously required an analyst to manually locate, extract, and cross-reference browser databases is now scoped and surfaced automatically, with the agent linking findings back to the original investigation context.
In this talk, we walk through exactly how we built it, how we validated the outputs, where the model failed, and what we put in place to catch it. We will also share what we learned and how we plan to apply those lessons to other elements of IR going forward.
Attendees will leave with a clear picture of how to structure a skills and agents pipeline for forensic analysis, the specific validation techniques we used to constrain hallucinations, and a realistic sense of where AI-assisted IR is ready for production and where it is not.
Speakers
avatar for Kyle Henson

Kyle Henson

Security Engineering Team Leader, Daylight Security
Kyle is an incident response leader with more than seven years of experience in DFIR and threat intelligence. He is currently a Security Engineering Team Lead at Daylight, where he builds agentic security services such as MDR, threat hunting, and incident response that combine automated... Read More →
avatar for Aaron Hau

Aaron Hau

Security Engineering Team Leader, Daylight Security
Aaron is a security researcher with more than five years of experience across various aspects of Cybersecurity including Incident Response, Red Teaming and Security Research. He is currently a Security Engineering Team Lead at Daylight, where he builds agentic security services such... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Beyond the SIEM: Critical Governance and Architecture Decisions for Modern SOCs
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Modern Security Operations Centers (SOCs) have evolved from basic technical hubs into essential engines for risk management. Success requires a disciplined alignment of governance, architecture, and talent to ensure every action remains resilient and defensible. This session presents a structured methodology to balance high-level technical capability with fiscal responsibility and regulatory mandates. By evaluating SOC evolution through the lens of financial and legal risk, organizations can build a function that is both highly effective and accountable to the board of directors.


We begin by discussing why governance must precede tooling to avoid embedding technical debt into the center’s foundation. This involves identifying critical assets, defining precise operational scope, and mapping risks driven by regulatory frameworks and customer contracts. Once these boundaries are set, we explore how to design a technical backbone that eliminates unnecessary complexity. We will evaluate a tiered log strategy where a security data lake handles high-volume telemetry while the primary analytics engine is reserved for real-time, high-fidelity alerting. This strategic approach prevents cost escalation while providing the depth required for advanced automated workflows.


We also address workforce modeling, demonstrating how technology choices dictate staffing requirements. By examining the mathematical rule of five, we evaluate the requirements for sustainable 24/7 coverage while preventing analyst burnout. The session concludes by reviewing how these elements create a living function that leverages automated triage and standardized playbooks to reduce manual effort by 60–80%. Attendees will learn to formalize critical escalation paths and measure performance through a trinity of operational, contractual, and compliance metrics, ultimately validating defenses through structured training to maintain a proactive, intelligence-driven posture.
Speakers
avatar for Bart Stump,

Bart Stump, "Stumper"

Managing Principal, Coalfire
Bart Stump is a Managing Principal on the Threat Discovery Services team at Coalfire with over 19 years of experience. He specializes in identifying defensive gaps through threat hunting, cyber threat intelligence, and security tool gap analysis to implement robust defensive measures. For... Read More →
avatar for Jeremy Croghan

Jeremy Croghan

Director, Coalfire
Jeremy Croghan is a seasoned cybersecurity leader and Director of Business Resiliency at Coalfire with over 20 years of experience, including U.S. Marine Corps service. He specializes in aligning the complex regulatory requirements of any industry with organizational policies to ensure... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Building the Human Firewall: Why Security Awareness Must Precede the Workplace
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Cybersecurity conversations often begin inside corporate boardrooms and Security Operations Centers but by then, the foundation for risk is already set. In a world where digital native generations are entering the workforce, the strongest "human firewall" must be established long before an employee receives their first corporate login.
This session reframes cybersecurity education as a foundational life skill rather than a purely technical discipline. By shifting the focus from corporate compliance to early digital awareness, organizations can significantly reduce their long-term enterprise risk. We will explore how early exposure to core concepts like digital hygiene, social engineering, and the psychology of trust can create a culture of security that naturally extends into professional environments.
Drawing on practical insights from incident response and governance, risk, and compliance (GRC) frameworks, this talk will demonstrate the direct correlation between proactive digital literacy and a resilient defensive posture. Attendees will leave with a new perspective on training strategies that move beyond "checking the box" and toward a more intuitive, security-first mindset. This session is ideal for security leaders, educators, and anyone interested in the intersection of human behavior and defensive strategy.
Speakers
avatar for Nousheen Begum

Nousheen Begum

Cybersecurity Leader | GRC & AI Security | CISSP | VP, WiCyS Wisconsin | Board Member, ISACA Milwaukee & ISC2 Wisconsin, WiCyS Wisconsin
Nousheen Begum is a seasoned cybersecurity professional with over 10 years of experience in Security Operations (SOC), Incident Response, and GRC. She holds an M.S. in Cybersecurity from the University of Illinois Springfield and is a CISSP and CEH certified professional. Currently... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

CISA’s Menu for Vulnerability Management
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Hungry for better cyber defense? Pull up a chair at CISA’s café, where vulnerability management is always on the menu! This talk will serve up a full tasting of best practices, international standards, and key initiatives that help organizations defend against today’s threats and enhance their cyber resilience. From tried-and-true favorites like CVE and the Known Exploited Vulnerabilities (KEV) catalog, to innovative new flavors including CSAF and OpenEoX, discover how the vulnerability management chefs at CISA lead efforts to streamline vulnerability disclosure, automate risk decisions, and overall secure U.S. critical infrastructure. Whether picking a la carte or sampling the whole menu, you will leave this talk with tasty insights and actionable recipes to boost your organization’s cyber defense posture…no reservations required!
Speakers
avatar for Justin Murphy

Justin Murphy

Cybersecurity Vulnerability Analyst, DHS/CISA
Justin Murphy is a Vulnerability Analyst with the Cybersecurity and Infrastructure Security Agency (CISA). He helps to coordinate the remediation, mitigation, and public disclosure of newly identified cybersecurity vulnerabilities in products and services with affected vendor(s... Read More →
avatar for Julia Turkevich

Julia Turkevich

Cybersecurity Vulnerability Analyst, DHS/CISA
Julia Turkevich leads CISA's stakeholder engagement activities to recruit CVE Numbering Authority (CNA) partners that are committed to proactive and responsible vulnerability disclosure. As a member CISA's Vulnerability Management subdivision, Julia works to advance maturity across... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Containers Don't Lie. But Your Security Tooling Might Be Missing What They're Saying
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Container security is one of those topics that sounds solved. We've got image scanning. We've got runtime policies. We've got Kubernetes RBAC. So why are containers still showing up as the initial access vector in breach reports year after year?


Because most of our tooling is looking at the wrong things at the wrong time.


This talk is about shifting container threat hunting from reactive to genuinely proactive, not by buying another tool, but by understanding what behavioral signals containers are already producing and building detection logic around those signals.


I've spent years running Kubernetes at scale in production environments, managing security for platforms that can't afford downtime and can't afford breaches. What I've learned is that containers are actually quite chatty. Syscall patterns, network connection behavior, image layer anomalies, runtime drift. They tell a story. The problem is most teams aren't set up to read it.


In this session, I'll cover:


- The most common gaps between what container scanning tools report and what's actually happening at runtime
- Behavioral indicators that predict compromise before it escalates, drawn from real incident data
- How to build a lightweight threat hunting workflow using open-source tooling (Falco, eBPF-based detection, and custom OPA policies) that doesn't require a six-figure budget
- A demo of an open-source AI-powered Docker security analyzer showing how AI-assisted analysis can surface vulnerabilities that static scanners consistently miss


The demo portion will be hands-on. We'll start with a "clean" container environment that passes standard scanning, introduce an attack scenario, and then walk through how behavioral hunting catches what the scanners don't.


By the end, you'll have a practical hunting framework, a set of detection rules you can implement immediately, and a better mental model for where container defenses actually break down in the real world.


This is for defenders who are tired of being told their container stack is secure, and then watching alerts prove otherwise.
Speakers
avatar for Advait Patel

Advait Patel

Senior Site Reliability Engineer, Broadcom
Advait Patel is a Senior Site Reliability Engineer at Broadcom with experienced in securing large-scale cloud platforms across AWS and GCP. He holds an MS in Computer Science from DePaul University and is a Docker Captain and Google Developer Expert in Google Cloud.
Advait is an active contributor to the security community as a founding member of the OWASP AI Vulnerability Scoring System (AIVSS), creator of the OWASP-adopted open-source tool DockSec, and co-author of cloud security guidelines for CSA. He has authored two Springer books on GCP... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Defending the Hypervisor: Using Offensive Tooling to Validate vSphere Security
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
VMWare (Broadcom) represents the most commonly used enterprise Hypervisors.  This means a compromised vCenter or ESXi host gives attackers access to every virtual machine and credential in your my environment. Defenders often lack visibility into what a post-exploitation attack against the hypervisor layer looks like. So, I built a tool to find out.
  In this session, I'll walk through the real-world attack chains that threat actors use against VMware vSphere environments: extracting Kerberos keytabs and credential caches from ESXi  hosts, decrypting stored VPX database passwords to pivot across every managed host, dumping JVM heap memory from vCenter to harvest SAML tokens, and forging certificates using stolen VMCA private keys. These are the techniques behind campaigns and APT operations targeting virtualization infrastructure today.
The core of this talk is a live demo of VEXED (vSphere EXploitation Extraction and Detection), an open-source tool I developed to automate these attack chains against vCenter and ESXi. Starting from a single SSH session, I'll show how VEXED chains credential extraction through VPX password decryption to automatically pivot across an entire vSphere cluster — mirroring the lateral movement patterns we as defenders need to detect and prevent.
But I didn't build this as a red team tool. I built it to answer a blue team question: what should I be looking for? For each attack chain I demonstrate, I'll map the corresponding detection opportunities: what logs are generated, what telemetry to forward to your SIEM, and what hardening controls actually break the chain. I'll cover VEXED's built-in hardening audit module, which checks over 20 security configurations across ESXi and vCenter, giving you a repeatable way to validate vSphere security posture. I'll also walk through the interactive attack graph output that visualizes the relationships between compromised credentials, certificates, and pivot paths… something I've found quite useful when communicating to leadership.
 Attendees will leave with:
  - A clear understanding of the most critical vSphere post-exploitation attack chains and how to detect them
  - Practical SIEM detection logic for credential extraction, memory dumping, and lateral movement across vSphere infrastructure
  - A hardening checklist validated against real attack tooling, not just vendor best practices
  - An open-source tool you can run in your own lab to validate defenses before an attacker does
 
  This session is for SOC analysts, infrastructure security teams, and anyone responsible for defending virtualized environments. No prior vSphere security experience is required. Just a desire to understand what happens when the hypervisor layer is compromised and how to stop it.
Speakers
avatar for Darryl Baker, DFIRDeferred

Darryl Baker, DFIRDeferred

Senior Staff Security Researcher, Netwrix
Darryl Baker is a Senior Staff Security Researcher at Netwrix, where he focuses on identity security and emerging attack techniques targeting enterprise authentication systems. With a background spanning security research, consulting, and adversary simulation, he specializes in uncovering... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

email.telemetry.normalized: Detection Engineering Beyond the Inbox in Healthcare
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Email continues to be the most common initial access vector in healthcare environments, yet many organizations still rely primarily on email security gateways for detection and protection. While gateways provide an important first layer of defense, they often create visibility gaps once messages reach user inboxes. Attackers routinely exploit these gaps through techniques such as executive impersonation, credential harvesting, and business email compromise (BEC).


This session explores how extending email security beyond the inbox can significantly improve detection and response capabilities in healthcare environments. Based on real-world operational experience, the talk focuses on integrating third-party email security telemetry into a centralized SIEM using custom connectors and normalized log pipelines. By ingesting and analyzing this telemetry alongside other security signals, defenders gain deeper visibility into attacker behavior that may otherwise go unnoticed.


Healthcare environments present unique challenges compared to other industries. Clinical workflows, external vendor communication, patient interactions, and regulatory requirements often limit how aggressively organizations can block or restrict email activity. These constraints create opportunities for attackers who understand how healthcare communication patterns differ from traditional enterprise environments. This talk highlights several real-world attack scenarios observed in healthcare networks, including executive impersonation attempts targeting leadership staff and phishing campaigns leveraging newly registered domains or fake authentication portals.


Attendees will see how detection engineering techniques can be applied to email telemetry once it is normalized within a SIEM. Instead of relying solely on static gateway signatures, defenders can build behavioral detections based on patterns such as suspicious sender reputation, missing email authentication controls (DMARC, DKIM, SPF), domain anomalies, and abnormal message characteristics. Lightweight Sigma-style logic will be used to illustrate how these detection patterns can be implemented in a platform-agnostic way.


Beyond detection, the session will also demonstrate how SOAR workflows integrated with SIEM detections can automate investigation and response actions. Automated enrichment, alert triage, domain blocking, and credential reset workflows can significantly reduce analyst fatigue while improving response speed and consistency in high-volume healthcare environments.


This talk is grounded entirely in real-world incidents and production security operations rather than theoretical frameworks or vendor marketing. The goal is to provide practical guidance on how healthcare defenders can implement a defense-in-depth strategy for email security by combining gateway protections, SIEM-based detection engineering, and automated response workflows.


Attendees will leave with actionable ideas for improving email visibility, building stronger detection logic, and operationalizing email telemetry to better defend healthcare environments against modern phishing and impersonation attacks.
Speakers
avatar for Akash Parasumanna Sridhar

Akash Parasumanna Sridhar

Security Engineer, Campbell Clinic
Akash Parasumanna Sridhar is a cybersecurity professional working in healthcare environments, specializing in detection engineering, incident response, and security automation. He has hands-on experience designing SIEM-driven detections, integrating third-party security telemetry... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Entra the Dragon: Entra ID Red vs Blue
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Entra ID is the identity & access management system for the Microsoft cloud. Microsoft continues to add new features to Entra ID and many of these features provide attack capability. There are many moving parts and regular updates that requires attention to stay secure. This talk covers the latest attacks against the Microsoft cloud from phishing to account take-over to persistence as well as the best ways to defend against them. So go beyond Secure Score and level up your cloud security!
Speakers
avatar for Sean Metcalf

Sean Metcalf

Identity Security Architect, TrustedSec
Sean Metcalf  (@PyroTek3) is an Identity Security Architect with TrustedSec. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) Active Directory certification and is a former Microsoft MVP. Sean has presented on Active Directory... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Finding SOCKS with ProxyWatch
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Attackers increasingly use SOCKS proxies on intrusions to pivot through compromised networks and to keep their tools away from EDR. C2 frameworks like Sliver, Cobalt Strike, and Mythic make it simple to turn one callback into a gateway for the entire network. 


As defenders, we looked at existing guidance to find SOCKS proxies and found detections too narrowly focused on specific tools, or advice too difficult to implement for every possible technique an attacker could run through SOCKS. We looked at how to identify behaviors when a process acts as a SOCKS proxy, from endpoint and network telemetry, and created ProxyWatch, a tool to find SOCKS. This talk will cover our research process into how SOCKS works, why attackers choose to use SOCKS, ways to potentially identify SOCKS behaviors in your data, and introduce ProxyWatch as a tool that implements the signals we found. 


If you’re a defender, detection engineer, incident responder, or anyone curious about how these attacks work, we invite you to join in and learn how ProxyWatch can help you find SOCKS proxies.
Speakers
avatar for Brian Reitz

Brian Reitz

SpecterOps
Brian Reitz is a consultant for SpecterOps for the Adversary Detection team, working on detection engineering for a variety of clients. He previously worked in detection and response in healthcare, and pentesting, red team, and defensive work for public-sector and commercial clie... Read More →
avatar for John Wotton

John Wotton

Consultant, SpecterOps
John Wotton is a Consultant at SpecterOps specializing in adversary simulation, Active Directory, Physical Security, and EDR evasion. He focuses on custom tooling, offensive and defensive research, and helping organizations defend against advance persistent threats.
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Fortress in a Box: Enterprise-Grade Kubernetes Security for the Organizations That Can't Afford It
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
In 2022, the Red Cross was breached and data from 515,000 vulnerable people was exposed. Amnesty International was surveilled by state-sponsored attackers. Bellingcat, the group that documents war crimes, is a constant target of state actors trying to destroy evidence.
These organizations protect the most vulnerable, and have zero security budget to defend themselves.
This talk presents Fortress in a Box, an open-source, one-command Kubernetes security platform built specifically for NGOs, journalists, and human rights organizations. It implements four layers of defense-in-depth: CI/CD scanning with Trivy, admission control with Kyverno, real-time runtime threat detection with Falco, and GitOps self-healing with ArgoCD — fully configured, zero Kubernetes expertise required.
Attendees will see a live demo where Kyverno blocks an insecure deployment and Falco catches unauthorized container access in seconds, routing alerts directly to Discord — no SIEM required.
Takeaways: a clear understanding of how defense-in-depth works in Kubernetes, the specific policies that block the most common attack vectors, and how to deploy Fortress in their own infrastructure that same day.
Speakers
avatar for José Lorenzana

José Lorenzana

DevSecOps Student & Open Source Developer
A computer science student and DevSecOps practitioner focused on making enterprise-grade security infrastructure accessible to organizations that need it most. With hands-on experience in Kubernetes, containers, and cloud security, their work sits at the intersection of technical... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

From Compliance to Covert Ops: Demystifying the Offensive Security Landscape
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
The most critical stage when using offensive security to improve defenses comes after obtaining leadership approval for a testing exercise. Current industry definitions have significant overlap, with the same term used to describe different underlying services, and with the added complication of AI-based offensive tools. Overshadowed by years’ worth of penetration tests exploiting the same set of techniques, or red teamers waltzing through the front door, driving lasting and impactful security improvements based on testing results continues to become less straightforward.


As an industry, we have accepted that using offensive testing is a good way to find gaps in our defenses. However, less attention is given to whether the type of testing chosen actually helps to systematically fix the gaps identified. This leads to problems like:
  1. Penetration tests continuing to surface the same class of findings as previous years, or the same finding in a different location.
  2. Organizations paying for advanced red team exercises while not having implemented foundational security controls.
The types of problems mentioned above arise because defenders often select offensive testing solutions based on the service "name". This leads to a mismatch between the type of offensive testing conducted and the defensive technologies that need to be validated. 


In this session, I will first provide a framework for defenders to categorize types of offensive security testing based on what their security controls will be tested against (attacks vs. adversaries) and how they will be tested (emulation vs. simulation). This framework helps defenders to:
  1. Understand what the core value proposition of each offensive security service is, independent of what terminology is used to describe it.
  2. Work bottom-up from the defenses you have to identify the most appropriate testing methodology.
Next, I will demonstrate how to use this model within attendees’ organizations to plan out an offensive testing program based on their threat model, security goals, and maturity. 


The goal of this session is to encourage attendees to think about offensive security from a new standpoint. By introducing a framework to categorize offensive testing methodologies with a primary focus on the security controls being validated, defenders will understand how to distinguish between the various offensive security services on the market, select the most appropriate solution for their organization, and progress between offerings as their security program matures.
Speakers
avatar for Sandun Bambarandage

Sandun Bambarandage

Service Lead, Breach & Attack Simulation, LevelBlue
Sandun is a Senior Consultant within the Security Advisory Services team at LevelBlue. He currently leads the Breach and Attack Simulation program, using atomic simulations of adversarial techniques at scale to validate the effectiveness of security tools and system configuration... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

From Hours to Minutes With StealerLens: LLM-Accelerated Infostealer IR for Overwhelmed SOCs
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Information stealer malware has quietly become one of the most consequential threats facing modern SOCs, with over 50 million stealer logs posted on underground channels in the last year alone. Each log is a comprehensive digital dossier on a single victim, and the sheer volume has created an analysis bottleneck that is impossible to address at scale.
This session opens with a technical deep dive into what an infostealer actually is and the strange artifact that is a stealer log. Beyond the obvious credentials and session cookies, stealer logs contain things defenders rarely expect: browser password manager extension data (BitWarden, Dashlane, KeePassXC), local KeePass vaults exfiltrated from disk, TOTP secrets leaked from Chrome extensions bypassing MFA, cryptocurrency wallet data, personal documents, and desktop screenshots captured at the exact moment of compromise. We will walk through the full attack surface and show why modern stealers are far more dangerous than "just a credential dump".
Buried inside each log are also forensic breadcrumbs left by the malware itself: execution paths, active processes, installed software, browser history, clipboard contents. These artifacts can reconstruct the infection vector and reveal the malware's behavior, but analyzing them manually takes hours per log. For an overwhelmed SOC triaging a steady stream of incidents, this analysis simply does not happen.
Building on our BlackHat USA 2025 work on LLM-based infection screenshot analysis ("Hackers Dropping Mid-Heist Selfies"), we introduce StealerLens, an LLM-powered forensic tool that collapses this workflow from hours to minutes. StealerLens uses a layered architecture where each log artifact (system info, software inventory, processes, browser history, clipboard, screenshots) is analyzed by a dedicated prompt. A final master prompt correlates the outputs into a cohesive infection narrative: likely source of infection, delivery vector, blast radius of exposed information, and pointing to the supporting evidence so the analyst can verify at a glance.
We will share the full prompt architecture, walk through real anonymized cases, discuss the limits we encountered across our test corpus. Attendees leave with a concrete blueprint for industrializing infostealer log analysis — and making room for the strategic work their SOC actually needs to do.
Speakers
avatar for Olivier Bilodeau

Olivier Bilodeau

Principal Cybersecurity Researcher, Flare
Olivier Bilodeau, a principal researcher at Flare, brings 15+ years of cutting-edge infosec expertise in honeypot operations, binary reverse-engineering, RDP interception and, more recently, fighting information stealer malware. Passionate communicator, Olivier spoke at conferences... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Game of Cones: Why Your Crisis Plan Shouldnt Melt Under Pressure
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Your incident response playbook is sitting on a server. The server just got encrypted. Now what?


Most organizations invest heavily in plans they never actually test: polished documentation, detailed runbooks, maybe a shiny new SIEM. Then a real crisis hits. Ransomware. A breach notification deadline. A regulator on line one and a journalist on line two. And everyone discovers, at the worst possible moment, that having a plan and having a practiced plan are two very different things.


This session draws on 18+ years of crisis management consulting across financial services, healthcare, and critical infrastructure — and a parallel career as a court-qualified expert witness in cybersecurity matters — to make one foundational argument: you cannot exercise your way to readiness during a crisis. You have to earn it before one arrives.


We'll start by untangling two exercise types that organizations routinely conflate. Technical Tabletop Exercises are built for your engineers and incident responders: deep, system-specific scenarios that evolve with each inject, stress-testing malware analysis, containment decisions, forensic timelines, and recovery procedures. Crisis Management Exercises are built for the people making the ransom pay/no-pay call at 2 a.m., fielding questions from the board, and deciding what to tell regulators before the mandatory notification window closes. Both matter. They serve different audiences, surface different gaps, and fail in different ways when neglected.


From there, we get practical. Using concrete inject examples drawn from real engagements, we'll examine what a realistic inject sequence actually looks like, how scenarios should evolve under pressure, and how to design exercises that surface real gaps rather than validate comfortable assumptions. We'll walk through common failure patterns: the outdated playbook nobody printed, the escalation path that dead-ends at a person who left the company, the executive team that spent the first 45 minutes of a simulated breach trying to figure out who was supposed to be talking to legal.


We'll also cover the human dimension that most exercise frameworks undercount: trust. You cannot know whether the person next to you will stay calm under real pressure until you've watched them handle simulated pressure. Exercises make your colleagues' behavior predictable. That predictability: knowing who steps up, who freezes, who asks the right questions, is what separates a coordinated response from organized chaos.


Attendees will leave with a practical framework for designing and running exercises that actually move the needle, a clear model for separating leadership-track and technical-track scenarios, and concrete guidance on building post-exercise debrief processes that drive iteration rather than just generating a report nobody reads.


One durable truth ties it all together: the calmest person in the room on the worst day of the organization's life didn't get there by accident. They practiced.


So should you.
Speakers
avatar for Richard Suls

Richard Suls

US Lead, Advisory Consulting, Reversec
Richard Suls is US Lead for Security Advisory Consulting at Reversec Consulting, where he designs and delivers crisis management exercises and technical tabletops for major financial institutions, healthcare organizations, and critical infrastructure operators. He brings 18+ years... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

It Started with an Employee. It Ended Inside Your AI: The Exposure Chain You Need to Understand
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
AI didn't just speed up reconnaissance. It connected dots that were never supposed to connect and most blue teams haven't caught up yet.
 
This talk walks through a single, end-to-end exposure chain so defenders can finally see what they're up against, and know exactly where to break it.
It starts with people. AI-powered OSINT pipelines aggregate and correlate employee data across LinkedIn, GitHub, forums, and breach databases in minutes, building behavioral profiles precise enough to generate hyper-targeted phishing lures at scale. But the exposure doesn't stop at individuals. The same reconnaissance that maps employees also maps the company: infrastructure, misconfigured services, and increasingly API endpoints leaked during LLM deployments. Production AI tools calling internal services, chatbots inadvertently surfacing internal documentation, LLM APIs left exposed during staging, these aren't edge cases, they're patterns blue teams are consistently missing.
 
From there, the path in is shorter than most teams think. Either a well-profiled employee gets phished into opening the door, or an exposed AI-connected service was never meant to be public in the first place. And once an attacker reaches an internal LLM: a security chatbot, an AI-assisted SIEM, an LLM-integrated IR tool, prompt injection becomes the final piece. Your AI doesn't know the difference between a legitimate query and a crafted instruction. Your analyst might not either.
 
We'll demonstrate each stage, then flip the lens entirely covering how defenders can map their AI exposure, harden LLM-integrated tooling, and break the chain before it completes.
 
Attendees will leave with:
  • Visibility into how AI-powered recon pivots from employees to exposed infrastructure
  • Awareness of LLM deployment patterns that unintentionally surface internal services
  • A framework for identifying prompt injection risks in security tooling
  • Actionable steps to audit and defend their AI attack surface
Speakers
avatar for Derick Johnson

Derick Johnson

Derick Johnson is a cybersecurity graduate student and practitioner specializing in the intersection of AI, large language models, and offensive security. His research focuses on two converging threats: how AI-powered tools are transforming open-source intelligence and reconnaissance... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

It Wasn’t Spoofed: Investigating Authenticated Email Abuse in Real Environments
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Not every incident starts with an alert.

Sometimes it starts with a confident assumption.

In this case, a suspicious email spread internally. The user reported they did not send it, and the client confidently assessed the message as spoofing.

It wasn’t.

Email header analysis revealed the message originated from within the organization (AuthAs: Internal) using legacy SMTP AUTH (AuthMechanism: 04), an authentication pathway that does not enforce MFA. Valid credentials were used, no alerts were generated, and the activity appeared legitimate.

With limited visibility, the investigation required correlating endpoint and infrastructure telemetry. Pivoting on domains associated with file retrieval revealed additional impacted systems beyond those initially reported.

The incident exposed gaps in both detection and control coverage. Mailbox forwarding rules enabled data exfiltration and were managed reactively rather than preventively, while authentication-based detection failed due to legitimate credential use. When questions arose around credential origin, validation had to be guided within the client’s own environment while maintaining privacy and access boundaries.

This talk provides practical guidance for defenders, including how to:
  • distinguish spoofed emails from authenticated internal activity using header analysis
  • identify authentication pathways where MFA is not enforced
  • pivot on DNS and endpoint telemetry to expand incident scope
  • detect and reduce risk from mailbox forwarding rules
  • validate potential credential exposure within appropriate privacy and access boundaries
  • investigate effectively when activity appears legitimate and generates no alerts
Attendees will leave with practical approaches for identifying and responding to attacks that bypass traditional detection by blending into expected behavior.
Speakers
avatar for Kelsey O'Connell, w0mbat

Kelsey O'Connell, w0mbat

Tier II MDR Analyst, Beazley Security
Kelsey (w0mbat) is a cybersecurity analyst focused on detection, investigation, and response, with an emphasis on cases where activity appears legitimate but is not. Her work spans endpoint, identity, and email telemetry, specializing in identifying subtle indicators of compromise... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Life After Tier 1: Rebuilding the SOC When Triage Is Outsourced
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
For many medium-sized enterprises, outsourcing Tier 1 triage to an MSSP is positioned to reduce workload, provide 24/7 coverage, and improve efficiency. In practice, it fundamentally reshapes how a SOC operates—and introduces new challenges that many teams are unprepared for.


Outsourcing Tier 1 doesn’t eliminate work—it redistributes it in ways most SOCs are not designed to handle.


This talk examines what happens after Tier 1 is removed. Organizations place significant trust in third-party providers, yet alert volume may decrease while investigation complexity increases. Context is often lost at handoff boundaries, and traditional metrics lose meaning, while new measures—such as mean time to confirm and escalation quality—become critical for understanding performance. Teams that fail to adapt quickly often find themselves with fewer alerts, but greater uncertainty and slower response.


Operational gaps also emerge when systems do not align with MSSP onboarding models. Custom telemetry sources, delayed parser development, and the gap between deployment and monitoring readiness introduce risk that must be actively managed.


Drawing on real-world experience leading a SOC through this transition, this session focuses on how to redesign operations for a post–Tier 1 model. We will explore how analyst roles must evolve from queue processors to investigators, why detection fidelity becomes the most important metric, and how to build feedback loops that continuously improve detection quality.


Attendees will leave with a practical framework for restructuring workflows, redefining success metrics, and improving detection precision.
This talk is designed for SOC leaders, detection engineers, and analysts navigating MSSP integration or considering outsourcing triage functions and aligns with both the Management/Leadership and Security Operations tracks.
Speakers
avatar for Stuart Fairchild

Stuart Fairchild

Senior Manager, Cybersecurity, C Spire
Stuart Fairchild is a Senior Manager of Cybersecurity at a regional telecommunications provider, where responsibilities include leading security monitoring, incident response, and security awareness programs supporting infrastructure for over one million customers. Work focuses on improving detection... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

MDR: From Vendor Shortlist to Security Partnership
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
In a saturated market, how can CISOs move past monitoring volume to evaluate Managed Detection and Response (MDR) providers based on their true ability to reduce exposure and drive proactive risk reduction?


How do you build a practical evaluation framework that balances technical visibility and response capability with commercial clarity and long-term consolidation potential?


What does is the difference between a provider that wins a contract, and a partner that actually strengthens resilience before, during, and after a crisis?
Speakers
avatar for Alan Simpson

Alan Simpson

Field CISO, Rapid7
Alan Simpson is Field CISO for the UK and Ireland at Rapid7, advising CISOs and senior leaders on cyber risk, resilience, and security strategy that supports business outcomes. Before joining Rapid7, he served as Global Security Operations Manager and Acting CISO at Keyloop, where... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Paving the Road for AI-Driven Security Teams
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
We are not a traditional SOC. Notion’s Detection and Response Team (DART) is a small group of engineers and incident responders. We build the systems our own team runs on, and we own them end to end.
AI changed how we work. Our answer has been to pave the road for agentic security work: an internal platform of harnesses, CLI tools, review steps, and guardrails that makes AI workflows predictable enough to run during a real incident, and safe enough for other security teams to build on top of.
We will cover three things:
  1. Setting up AI agents for triage and investigations in a way we actually trust
  2. The boring stuff that makes it work. Harnesses, CLI tools, and review steps so agent runs are repeatable and we can actually check what happened
  3. What that paved road unlocks, using security automations as the example. DART owns and runs the platform, so other security teams can ship new automations on top of it without having to learn the underlying infra
You’ll leave with the guardrails we actually use, patterns for making agent workflows deterministic, and the lessons we picked up scaling our automation and observability work.
Speakers
avatar for Joakim Pedersen

Joakim Pedersen

Detection and Response Engineer, Notion
Joakim is a Detection and Response engineer at Notion, focusing on detection engineering, incident response, and observability. With a background in offensive security, he brings an attacker mindset to defending cloud infrastructure at a global scale.
avatar for Britton Hayes

Britton Hayes

Detection and Response Engineer, Notion
Britton is a detection and response engineer building tools to keep security simple. Currently at Notion focusing on incident response, security automation, and detection engineering. Previously, he architected observability pipelines at Fortune 500 scale and secured Kubernetes infrastructure... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Secrets That Survive Everything: The Shift-Right Runtime Gap Left Unguarded
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
A bug bounty researcher found Azure credentials in a JavaScript file and 
marked the report informational. The credentials were live production values -
four Azure AD fields sitting in a public JS bundle, enough to authenticate as 
the application itself. The frontend had documented its own backend. Full 
account takeover. The application's token had been granted the ability to 
perform user-level operations, every account in the system was reachable. 
The organization had GitLeaks in CI/CD and static secret scanning on pull 
requests. The credentials were still live.


That was one chain. A second application used CryptoJS to encrypt its 
configuration, a common pattern in SPAs where developers believe encrypting 
the config protects it. The decryption key was hardcoded in the same 
JavaScript file, three lines away from the encrypted blob. The secret to 
unlock everything was sitting next to the lock. Same credential pattern at 
the end. Same result.


Shift-left tools scan what you commit. They do not scan what you serve. 
Build-time environment injection bakes live keys into webpack bundles that 
never touch the repository. CI/CD pipeline variable substitution materializes 
secrets only in the build artifact, after every scanner has run. SSR state 
blobs injected by Next.js and Nuxt carry credentials into HTML that no 
pre-deployment scanner ever sees. Once a secret reaches production, it 
disappears from every scanner's view. Sometimes that disappearance is 
engineered, developers suppress scanner alerts on credentials the application 
genuinely requires, trading automated monitoring for a green pipeline. The 
only things finding runtime secrets are manual penetration testers, bug bounty 
researchers, and attackers. Two of those three report what they find.


This talk walks through both exploitation chains in detail, maps the full 
shift-right gap in the security tooling landscape, and closes with a live 
demo using a purpose-built intentionally vulnerable healthcare portal, a 
HIPAA-branded application exposing Twilio, SendGrid, Stripe, and Firebase 
credentials in its public JavaScript files, and leaking internal service keys 
in response headers on every single request.


The demo uses SecretSifter, a free Burp extension, browser tool, and desktop 
app built for the runtime layer to find every secret passively, without 
configuration, as traffic flows.


Security teams leave with a clear picture of where their shift-left controls 
stop, a taxonomy of the six exposure mechanisms that bypass them, and a free 
tool they can deploy against their own applications the same day.


Speakers
avatar for Hemanth Gorijala

Hemanth Gorijala

Global Penetration Testing Lead
Hemanth Gorijala is an application security professional and penetration tester with 13 years of experience. He conducts web application security assessments and reviews vulnerability reports in enterprise bug bounty programs. The exploitation chains in this talk are drawn from his... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Security vs Product: A Professional Identity Crisis
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
For years, my instinct was to fix things. See an alert, chase the threat. Find a gap, build a detection. Witness an incident, contain and remediate. After a career built on DFIR, detection engineering, incident response, and sysadmin work, I was trained to be a solution machine, and I was good at it.


Then I became a Product Manager.
Everything broke.


Suddenly the job wasn't to solve the problem in front of me, it was to figure out whether I even had the right problem. The skills that made me dangerous in a SOC were quietly working against me in a product role. I was writing requirements that looked suspiciously like runbooks. I was treating user research like a post-incident review, assuming I knew the problems because I've been there before. Jumping straight to the five whys without sitting in the discomfort of not knowing yet.


This talk is the honest story of my first year as a Product Manager and what a decade in security taught me. Both the gifts and the baggage.
The gifts were real: I understood the users deeply because I was the user. I could cut through technical ambiguity, earn credibility with engineering teams fast, and spot when a "product problem" was actually an architecture problem in disguise. Threat modeling translated almost directly into risk prioritization frameworks. Log analysis taught me how to find signal in noisy customer feedback.


But the baggage was heavy too. Security work rewards decisive, fast, technical action. Product work rewards patience, ambiguity tolerance, and ruthless problem definition. The pivot from solution-first thinking to problem-first thinking didn't happen naturally, it had to be unlearned, deliberately and sometimes painfully.


In this session, I'll walk through the mental model shift that changed how I approach product decisions, the specific security habits that carried over (and why), the ones I had to consciously kill, and how I'm still learning to bridge both worlds. Whether you're a security professional curious about PM roles, a PM trying to work with security-minded engineers, or someone navigating a major career pivot, this talk is for you.
Speakers
avatar for Amanda Berlin, Infosystir

Amanda Berlin, Infosystir

Sr. Product Manager, Cybersecurity, Blumira
Amanda Berlin is the Sr. Product Manager of Cybersecurity at Blumira, where she leads product initiatives focused on XDR and response capabilities as well as incident detection engineering initiatives.
An accomplished author, speaker, and podcaster, Amanda is known for her ability to communicate complex technical concepts in a way that is accessible and engaging for audiences of all backgrounds. She co-authored an O’Reilly Media book Defensive Security Handbook: Best Practices... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Slaying the Sprawl: A Hero’s Guide to Building (or Re-Forging) a Cloud Security Program Without a 20-Person Guild
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Whether you are standing before a pristine, untouched Cloud Kingdom or inherited a crumbling fortress held together by "Native Tooling" duct tape and hope, the quest remains the same: How do you defend the realm without hiring an army you can’t afford? 


In this 40-minute campaign, we aren’t just looking at the map, we’re looking at the scars. Building a cloud security program from scratch is one thing; evolving an established one while the dragons are already circling is another. Drawing from real-world lessons learned in the DevOps trenches, this session explores the "Day 0" decisions and the "Year 2" regrets of choosing between Native Security Tooling and a unified CNAPP.


We’ll sit around the tavern table to discuss the hard-won truths of cloud defense:


- The "Free" Sword’s Hidden Cost: Real-life tales of how "built-in" tools led to siloed alerts, requiring a 20-person "manual correlation guild" just to find a single critical risk.
- Re-Forging the Armor: For those with established programs—how to transition from a "Franken-stack" of point tools to a unified platform without breaking the kingdom’s production.
- The "Agentless" Treaty: Lessons learned from the "Agent Wars." How moving to agentless visibility (the Rogue's Cloak) saved our DevOps relationships and gave us 100% visibility in hours, not months.
- The Multi-Cloud Map: Navigating the treacherous terrain of AWS, Azure, and beyond without losing your mind or your budget to "Console Swapping" fatigue.


Whether you are a Solo Adventurer starting a new program or a War-Weary Veteran trying to consolidate a sprawling one, you’ll leave with a battle-tested blueprint for a security program that scales with your magic, not your headcount, HUZZAH!
Speakers
avatar for Steve Turner

Steve Turner

Cloud Security Architect, Zelis Healthcare
Steve leads cloud security at Zelis Healthcare. He started his career through the trial by fire that is MSP life. He pivoted to securing everything from waste facilities and transportation infrastructure to huge financial services organizations and even mixed in some industry analysis... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Strength in Diversity: Building an Inclusive Cybersecurity Workforce
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
The presentation “Strength in Diversity: Building an Inclusive Cybersecurity Workforce” explores how diversity across race, gender, sexual orientation, and neurodiversity strengthens cybersecurity by fostering innovation, resilience, and more adaptive defenses. It argues that cybersecurity is as much about people and perspectives as it is about technology, and that inclusion drives strategic advantage in addressing complex, evolving cyber threats.
The introduction sets the tone by positioning diversity not just as a social ideal but as a core element of operational effectiveness. It emphasizes that a broad range of lived experiences improves problem-solving and enhances anticipation of attacker behavior. A personal story titled “A Gay Man’s Journey Through Change and Resilience” illustrates this principle through a cybersecurity professional who endured discrimination and living through the AIDS crisis, eventually turning adversity into empowerment, mentorship, and advocacy for diversity in tech.
Data presented from 2023 industry studies—including (ISC)², CyberSeek, and ISACA—reveals progress and persistent gaps. Women comprise about 26% of the U.S. cybersecurity workforce, while approximately 62% of professionals identify as White. Black, Hispanic/Latino, and Asian professionals represent roughly 9–10%, 8%, and 17–18% respectively. Around 7–8% of cybersecurity professionals identify as LGBTQ+, and 5–10% are estimated to be neurodivergent. Leadership, however, remains disproportionately White and male.
Subsequent sections examine how specific forms of diversity enhance cybersecurity effectiveness. Racial diversity introduces broader cultural understanding and region-specific threat identification. LGBTQ+ inclusion fosters authenticity, psychological safety, and creativity—core elements of innovative problem-solving. Gender diversity improves usability, ethical awareness, and understanding of human vulnerabilities in security systems. Neurodiversity, though only briefly mentioned, provides unique cognitive strengths like pattern recognition and sustained focus, valuable in security analysis.
The presentation warns against “groupthink,” which arises in homogeneous teams and can blind organizations to unseen threats. Diverse teams, by contrast, challenge assumptions and expand awareness. The business case follows: data show that organizations with diverse teams outperform peers in innovation, responsiveness, and decision-making. In cybersecurity—where agility is essential—diverse perspectives directly translate into better incident response and threat intelligence.
Practical guidance focuses on dismantling systemic barriers such as implicit bias, inequitable advancement, and limited mentorship. Recommendations include inclusive hiring, employee resource groups (ERGs), leadership training on unconscious bias, and structured mentorship for underrepresented professionals. Building an inclusive culture requires active allyship, where leaders champion belonging and empower all employees to participate fully.
Looking toward the future, the presentation notes that global cyber threats demand culturally intelligent solutions and that younger, more diverse generations will reshape the field. The call to action urges professionals to recruit widely, support consistently, and lead inclusively. The final message encapsulates the presentation’s core thesis: diversity of people produces diversity of thought—creating stronger, more resilient cybersecurity defenses for all.
Speakers
avatar for Rick Hudson

Rick Hudson

CTO, Critical Path Security
Rick Hudson is currently the CTO (Chief Technology Officer) for Critical Path Security. Rick is a member of the InfraGard (InfraGard is a partnership between the Federal Bureau of Investigation (FBI) and members of the private sector for the protection of U.S. Critical Infrastructure... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Superposition, not Superstition
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
SUPERPOSITION WITHOUT SUPERSTITION
Why the foreseeable state of quantum computing is not a nightmare for security practitioners


In this illuminating talk, we’ll cut through the quantum hype to reveal why security professionals can approach quantum computing with informed confidence rather than panic.


While headlines scream about the imminent apocalypse of our cryptographic systems, reality paints a dramatically different picture. This presentation delivers a refreshingly sober analysis of quantum computing’s actual security implications, replacing fear with facts.


Key Insights:
Reality Check on Timelines
The horizon for practical cryptographically relevant quantum computers stretches far beyond sensationalist coverage, likely years or even decades before systems capable of breaking RSA or ECC at a meaningful scale materialize. Even then, these systems will initially be massive research facilities accessible primarily to nation-states, not everyday threat actors.


“Unless you’re a high-priority target for these select few actors with nation-state resources, should quantum computing really keep you up at night?”


Technical Hurdles That Won’t Disappear Overnight
We’ll dissect the substantial challenges quantum computing still faces, comparable to nuclear fusion energy, where “breakthrough announcements” often represent minimal progress in the greater journey. Error correction requirements, qubit coherence limitations, and scaling challenges aren’t merely engineering problems but fundamental physics puzzles requiring revolutionary solutions.


The Quantum Security Advantage
Discover how quantum technologies themselves offer robust security benefits through innovations like Quantum Key Distribution (QKD). Learn how the security community’s decades of preparation have yielded practical post-quantum cryptographic standards and hybrid approaches that organizations can implement today as part of sensible transition strategies.


Practical Preparation
Walk away with actionable insights on how to approach quantum-resistant security planning without overinvesting or underestimating. Learn which threats are real, which are exaggerated, and how to communicate quantum risks accurately to stakeholders and executives.


Join us for a reality-based assessment that replaces quantum superstition with quantum understanding, providing security practitioners with a practical perspective on this fascinating technological frontier. 

This session is ideal for CISOs, security architects, and security practitioners who need to separate quantum computing fact from fiction.
Speakers
avatar for Johnny Xmas

Johnny Xmas

Global Head of Offensive Security, Fortune 150 Food & Bev Manufacturer
Johnny Xmas, a prominent figure in the Information Security community since 2002, is a board member of both Chicago's famous BurbSec community, as well as its BSides312 conference. He's most notably recognized for his pivotal role in exposing the American TSA Master Key leaks (2014-2018... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Teaching AI to Analyze Malware: How to Encode Practitioner Expertise into an MCP Server
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
AI agents can reason about suspicious files, plan multi-step investigations, and write custom deobfuscation code when standard tools fall short. But generic models produce shallow, unreliable results because they lack practitioner knowledge about which tools to use and when, and access to the tools themselves.
Without domain expertise, an AI agent doesn't know that, for example, capa exit codes follow non-standard conventions, that YARA match counts require context to interpret, or that GetProcAddress appears in virtually every Windows program and is not inherently suspicious. Without tool access, it can only comment on malware but cannot investigate it.
This talk walks through my experience of building an open source MCP server, a standardized interface that connects AI agents to external tools, that bridges both gaps simultaneously. The server connects AI agents to my open source REMnux malware analysis toolkit, encoding practitioner knowledge into tool workflow sequencing and output interpretation. The server runs analysis at three depth levels, and manages context budgets when tool output exceeds approximately reasonable values by automatically switching to summary mode while preserving key findings.
The server also counteracts confirmation bias. Generic AI agents tend to label every API call as suspicious and every string as an indicator of compromise. The server's neutral framing prompts agents to consider benign explanations before concluding malicious intent. This is a critical safeguard when the AI chains dozens of tool calls without human review at each step.
Against real-world samples, the resulting system completed full investigations in about 10 minutes with 25-30 automated tool calls. In one case during my experimentation, the AI agent wrote custom Python to reconstruct a PE from file fragments. In another, it reverse-engineered a proprietary archive format and adapted when initial analysis approaches failed.
The talk covers what worked, what failed, and what surprised me. It addresses the security model required when AI agents have tool access, including prompt injection risks from malicious content in analyzed samples, container isolation as the primary security boundary, and data flow considerations.
Attendees leave with a reproducible pattern for encoding domain expertise into MCP servers, applicable to incident response, cloud forensics, network analysis, or any domain with specialized tools and practitioner workflows.
Speakers
avatar for Lenny Zeltser

Lenny Zeltser

Faculty Fellow, SANS Institute
Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. He has built security products and programs from early stage to enterprise scale. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

The Contextualization Gap: Why Your SOC Has the Data But Not the Story
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Security operations teams are not losing ground because they lack tools. They are losing ground because they have accumulated too many tools, each addressing a specific threat, each generating its own telemetry, with no architecture capable of connecting that data into a coherent, actionable picture of what is happening in the environment. The result is a team simultaneously overwhelmed by data and operationally blind to the threats moving through it. This is true for internal SOC teams and for MSSPs, and the burden manifests differently for each.


The core problem is structural: the five functions required to convert raw telemetry into a security decision, specifically aggregation, correlation, analysis, decision making, and execution, are not all human-speed functions. The first three demand machine-level speed and scale. 


1. Aggregation requires collecting and storing every data point from every endpoint and point solution, in raw form, before filtering occurs. 2. Correlation requires establishing real-time relationships across those data points at a scale no analyst team can match manually. 
3. Analysis requires assembling those relationships into a complete, contextualized picture of what is present, what it is doing, and whether it represents a threat. 


These three functions, performed at the volume and velocity modern environments generate, are beyond the operational capacity of any human element working without machine support.


Yet most organizations have humans attempting to manage all five steps, and both sides of the security operations equation pay for it.


Internal SOC teams silo the data conversation, leaving executive leadership, board members, and stakeholders without the context to authorize meaningful action. 


External providers face a version of the same problem: unable to build full context from fragmented data, they struggle to explain which data matters to the client, let alone guarantee the client is protected. They carry that uncertainty every day. 


In both cases, the human element absorbs the burden of functions it was never designed to perform, and the organization remains exposed.


This session presents the operational argument for a different architecture: one in which an AI and ML-driven security contextualization engine executes steps one through three against the full data lake in real time, and delivers the output (a contextualized, prioritized picture of environmental activity) to the human operator. 


The human element is not removed from the process. It is repositioned to the two steps where human judgment is irreplaceable: decision making and execution. The operator arrives at step four informed, not overwhelmed.


The session draws from documented deployments in resource-constrained environments, including a regional security operation that processed 35,331 threats, eliminated 351 classified at high severity, and maintained zero major security incidents, at 77% below the cost of an equivalent internal SOC. The outcomes were not produced by adding analysts. They were produced by correctly positioning the human element within the detection lifecycle.


Attendees will leave with a framework for auditing where their team is currently positioned in the five-step cycle, a model for what machine-executed contextualization makes operationally possible, and a practical starting point for closing that gap.
Speakers
avatar for Cyrus Walker

Cyrus Walker

Founder/CEO, Data Defenders
Thirty years of operational cybersecurity experience spanning municipal government, nonprofit, and healthcare sectors. Work includes forensic investigation, critical infrastructure protection, and the design and operation of shared regional security programs built for organizations... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

The Decision Engine: How to Rebuild Security Operations for an AI-Accelerated Threat Environment
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
The queue-based SOC is not a slower version of the future.  It is a structural liability.  


For two decades, security operations has been measured by the wrong things; alert throughput, mean time to detect, SLA adherence.  These metrics are of a queue.  They assume that moving fast enough though enough alerts produces security outcomes.  That assumption has not survived contact with AI-enabled adversaries, exponential telemetry growth, and an accelerating compression of exploitation timelines. 


This talk is about what replaces it. 


The decision engine is not a product, a platform, or vendor pitch.  It is an operating model, a structural redesign of how a security function produces decisions rather than processes alerts.  The mission statement is simple: compress uncertainty faster than adversaries compress time.  Everything else, the detection discipline, the AI architecture, the metrics framework, the cryptographic risk model, is a design decision made against the standard. 


The session covers the three structural shifts that make the legacy model insufficient, the five components of the decision engine operating model, and what the transition looks like in practice, including what fails first, what the hardest organizational resistance looks like, and what early proof points tell you the model is working. 


Specifically attendees will leave with a clear mental model for evaluating their own organizations current posture, a diagnostic framework for identifying where the legacy model is already creating structural risk, and three concrete actions they can take immediately, regardless of budget cycle, platform status, or org structure. 


The talk also addresses the risk that receives the least attention in most security operations conversations: the shrinking half-life of sensitive data.  For organization holding data within multi-year regulatory retention obligations, long lived contractual confidentiality requirements, or enduring intellectual property value, the assumption that exfiltrated data cannot be weaponized for years is eroding.  The question that should be driving triage is not whether a breach occurred, its what the time-to-weaponization of the data involved is.  Most SOCs have no answer to that question.  This talk explains why that gap is a structural risk and what closing it requires.


This is not theoretical framework.  Every element described in this session has been built and validated in a production operational environment, under real constraints, against real adversaries.  The speaker is not standing at the front of the room as a vendor, an analyst, or an academic.  They are standing there as a practitioner who made the transition, knows what it costs, and knows what it produces.
Speakers
avatar for Ren Fellows

Ren Fellows

Manager Cyber Security Operations, REI Co-op
Ren Fellows is the Director of Threat Management at a Fortune 50 financial institution, with over 13 years in security spanning SOC build, large-scale incident response, and zero-day events. Ren's believes the way we've built and lead security operations is due for a fundamental... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

The End is Just the Beginning of Better Security: Enhancing Vulnerability Management with OpenEoX
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Persistent cyber campaigns continue to threaten both public and private sectors, with outdated, unsupported edge devices emerging as a prime target for Nation-state adversaries. End-of-Life/End-of-Support (EoL/EoS) technologies create enduring exposure across our Nation's critical infrastructure, prompting CISA's February 2026 Binding Operational Directive (BOD) 26-02 requiring federal agencies to identify and replace EoS edge devices, maintain current software, and patch known vulnerabilities when immediate replacement is not feasible. The presentation will also introduce OpenEoX, a new open source, machine-readable standard, developed by OASIS Open, that streamlines the exchange of product lifecycle data across software, hardware, services, and AI models, and explains how it enables automated, timely detection of EoL/EoS assets and seamless integration with existing tools and standards such as Software Bills of Material (SBOMs) and the Common Security Advisory Framework (CSAF). It will detail the benefits for government agencies, vendors and open source maintainers, downstream users, and the broader ecosystem, and show how OpenEoX adoption supports transparency and consistency at scale. The session will also outline actions to operationalize OpenEoX, such as publishing OpenEoX data publicly, integrating OpenEoX into scanners and asset platforms, and updating workflows to drive proactive replacement, patching, and upgrades for unsupported devices. The goal is coordinated adoption that reduces risk and strengthens security through a standardized, transparent, and automated lifecycle management framework.
Speakers
avatar for Justin Murphy

Justin Murphy

Cybersecurity Vulnerability Analyst, DHS/CISA
Justin Murphy is a Vulnerability Analyst with the Cybersecurity and Infrastructure Security Agency (CISA). He helps to coordinate the remediation, mitigation, and public disclosure of newly identified cybersecurity vulnerabilities in products and services with affected vendor(s... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

The Only Way to Win Is by Learning: Deception Design, Read Through a Comedy Game Show
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Most deception technology fails the same way a bad magic trick fails: the audience can see the strings. A pristine honeypot, a too-obvious credential, a decoy environment without any of the messy human fingerprints of a real network — these tip off skilled attackers in the first thirty seconds of contact and then sit unused, generating no intelligence and no value.
This talk argues that the people who have already solved this design problem are, improbably, the writers of Dropout's Game Changer — a comedy game show where contestants don't know the rules, and where the host's entire job is to design environments that intelligent, adaptive people will inhabit fully while being watched. The parallels to defensive cyber deception turn out to be precise and useful.
Working through concepts including verisimilitude and "coherent imperfection," choice architecture and the path of least resistance, flow-state engineering for sustained engagement past the initial probe, nested observation layers modeled on the show's "Bingo" episode, and the counterintuitive Tularosa finding that announcing deception makes it more effective, this session translates game-design craft into practical honeypot, honeytoken, and deception-fabric architecture any defender can deploy.
Attendees will leave with a design checklist for building deceptive environments that sustain coherence under adversarial pressure, a vocabulary for evaluating commercial deception platforms against actual attacker psychology, and an argument for why the best deception operators are, in a real sense, game designers.
The talk is interactive. The audience is already playing.
Speakers
avatar for Dylan Shroll

Dylan Shroll

Security Engineer, Revology
Dylan is a cybersecurity engineer with six-plus years across healthcare, financial services, lottery, and logistics — everywhere the stakes are high and the regulations are higher still. She specializes in LLM-powered cyber deception operations and behavior-science-driven secur... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

The Second Front: Detecting LOTL Off the Endpoint
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Living-off-the-land (LOTL) isn't what it used to be. Blue teams have spent years tuning detections for the classic playbook - LOLBins, malicious macros, WMI abuse, PowerShell, etc. - and endpoint tooling has gotten pretty good at catching it. So, attackers moved.
LOTL is now operating across a second front: the identity and management plane, which spans hundreds (if not thousands) of SaaS apps and authorizations in an enterprise. Stolen session tokens, abused OAuth flows, device code phishing, and browser-native credential harvesting let adversaries operate entirely within sanctioned tools and legitimate traffic. 
Scattered Spider, and more recent evolutions like Scattered Lapsus$ Hunters, operate inside victim environments using legitimate SaaS APIs and identity tooling: SSO, MFA bypass via social engineering and post-auth attacks, and direct access to cloud management planes. In every case, the attackers aren’t hiding from EDR; they’re operating in the browser context where EDR doesn't see.
This “missing middle” is a structural gap: EDR owns the endpoint, and the IdP owns authentication events. But the space in between - the authenticated browser session, the OAuth token, the SaaS API call from a legitimate identity - belongs to no tool and appears on no dashboard. It’s a second front for LOTL, and most blue teams don't have a strategy for it because they don't have visibility into it.
This talk maps the evolution of LOTL techniques from endpoint to identities and SaaS, walks through the attack patterns that define the second front (AitM session hijacking, OAuth abuse, infostealer-to-IAB pipelines, MFA-resilient phishing infrastructure), and describes a practical detection framework that addresses both fronts simultaneously. We'll look at what telemetry sources actually exist for in-browser and identity-plane activity, how to build detection logic when you're pattern-matching against legitimate behavior rather than malicious binaries, and how SOC teams can prioritize coverage across two active fronts without exponentially increasing analyst workload.
Attendees will leave with a mental model for how these two LOTL fronts interact, a framework for evaluating their own detection coverage gaps, and concrete starting points for building detection programs that account for the full attack surface - not just the stuff that shows up in endpoint logs!
Speakers
avatar for Mark Orlando

Mark Orlando

Field CTO, Push Security
Mark is the Field CTO at Push Security, where he advances detection and response for in-browser threats. With 25 years of experience building and leading security operations teams at the White House, the Pentagon, the Department of Energy, and Fortune 500 companies, Mark has investigated... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Threat Intelligence at the Speed of Cyber Defense
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Cyber threat intelligence (CTI) is essentially a decision support function within cybersecurity. As such, CTI that cannot enable, improve, or otherwise facilitate a security action is of questionable value. This is often evaluated in terms of CTI relevance, applicability, or accuracy, but the relationship between CTI and security actions also demands investigation of another metric: timeliness. CTI that arrives too late for the supported decisions is functionally irrelevant.


In this discussion we will explore the implications of a time-oriented view for CTI production, dissemination, and integration into operationally-focused decision making. From this we will identify a key tension at the core of CTI analysis and production: that the SPEED at which CTI is produced and disseminated is often in conflict with the QUALITY or DEPTH of the produced CTI. Organizations cannot have immediate decision support on tactically-relevant timescales while simultaneously having deep context in the current environment. As a result, tradeoffs are necessary to both recognize and navigate in developing a relevant CTI function. Furthermore, evaluating CTI becomes a question of determining audience and customer needs, purpose, and response timelines to appropriately structure CTI support for the entity or specific decision maker in question.


To conclude this discussion, we will examine the possibility of eliminating (or at least reducing) this dilemma through technical means. Particularly future progress in the field of artificial intelligence may allow CTI functions to tap into mechanisms where context or detail and timeliness are no longer in direct conflict with one another, mapping out an effective and meaningful way for AI to support CTI and broader security functions.
Speakers
avatar for Joe Slowik

Joe Slowik

Director, Cybersecurity Alerting Strategy, Dataminr
Joe Slowik has over 15 years of experience across multiple cyber domains, from threat intelligence to detection engineering to incident response. Joe currently works as director for cyber alerting strategy at Dataminr, and has previously held roles at organizations including the MITRE... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Trusted, But Dangerous: Identity Abuse Through First-Party Apps in Entra
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Microsoft Entra environments rely heavily on implicit trust in Microsoft first-party applications, yet most defenders have limited visibility into how expansive that trust boundary truly is. With more than 4,000 Microsoft first-party app IDs, many operate as “ghost” applications: active in authentication and token issuance, but not clearly represented in enterprise application views or routinely monitored by defenders. This creates a significant blind spot in identity security.
This session explores how these trusted applications can be abused through Resource Owner Password Credentials (ROPC), Family of Client IDs (FOCI), and token issuance behaviors that extend access beyond what defenders typically expect. Rather than focusing on generic anomalous sign-ins, the talk centers on capability: the delegated scopes these applications request, the permissions they inherit, and how those access paths can be leveraged to persist and expand access within a tenant. These behaviors can be executed through standard Graph API interactions and demonstrate how ROPC can be leveraged to obtain tokens without interactive authentication and, in many real-world environments aligned with historical Microsoft guidance, results in effective MFA bypass conditions.
Attendees will learn how ROPC remains relevant in modern identity attacks, how first-party application trust complicates Conditional Access enforcement, and why policy evaluation differs between interactive and non-interactive authentication paths. The session also examines token lifecycle in depth, including how refresh tokens can persist for extended periods, how Continuous Access Evaluation (CAE) impacts enforcement, and why resetting user credentials does not necessarily revoke active access without additional token invalidation steps.
From a defensive perspective, this talk provides practical, immediately usable guidance. It includes KQL queries specifically designed to identify ROPC authentication activity, enumerate first-party application usage, and help defenders understand which client applications are requesting access and with what scope. It also covers Conditional Access policy considerations, validation techniques, and response actions to take during identity incidents involving token abuse.
A companion GitHub repository is included with ready-to-use KQL queries, detection logic, and example configurations. Attendees will leave with a concrete understanding of how first-party application trust can be abused, where visibility and enforcement gaps exist, and how to build effective identity-focused detection and response workflows in Microsoft Entra.
Speakers
avatar for Jon Haas

Jon Haas

Threat Hunter, Nationwide
Jon Haas is a Threat Hunter at Nationwide specializing in identity security, cloud detection engineering, and adversary tradecraft in modern SaaS environments. His work focuses on uncovering gaps in authentication controls, including OAuth abuse, first party application behavior... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Using Pentest Findings to Improve Detections
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Most penetration test reports get filed and forgotten. SOC teams never confirm whether their alerts fired during the engagement, and adversaries keep reusing the same techniques. This session shows blue teamers how to digest a penetration test report and turn every pentest finding into a working detection.
We'll break down pentest reports from the SOC's perspective, focusing on the methodology sections where attacker behavior is documented with command line invocations, tooling, and attack narratives. We'll cover what artifacts to require from testers before the engagement begins, including timestamped command logs, source and target IPs, compromised accounts, and MITRE ATT&CK technique IDs.
Attendees will leave with a repeatable feedback loop for transforming pentest results into measurable detection improvements, supported by tools like Sigma, Atomic Red Team, VECTR, and Caldera.
Speakers
avatar for Ashley Knowles

Ashley Knowles

Cyber Security Analyst, Black Hills Information Security
As a Security Consultant, Ashley’s role is to perform network (internal/external), social engineering, and cloud penetration tests, as well as participating in red team assessments. Since joining the infosec community in 2013, she has developed and taught hacking classes, worked... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Vibe Check: Scaling AppSec in an AI-Driven World
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Scaling an AppSec program is hard enough in a traditional environment, but it gets exponentially more difficult when Sonny from Accounting decides to vibe code their own full-stack internal tool over the weekend and announces it in the company All Hands on Monday. The "Shift Left" movement promised to get in front of security breaches by thinking about security early in the development lifecycle, but AI has thrown that idea out the window. How do we shift left when teams are deploying demos in the time that it used to take to agree on basic design principles? Teams are shipping code faster than it can be reviewed and in an era when anyone who can write a mostly coherent thought can pump out an application, vibe coders are spinning up unreviewed shadow apps overnight.


The modern AppSec program has to adapt and scale without becoming a bottleneck. We have to focus on:

Automated Guardrails: Leveraging AI to secure the code that AI creates

Democratized Security: Extending AppSec to the vibe coding masses through self-service tooling.

Maintaining Quality at Speed: Using risk-based prioritization when the codebase is growing exponentially.

AppSec programs need to stop policing every line of code and start building resilient ecosystems where everyone, not just traditional software engineers, can build safely regardless of how they write their code.
Speakers
avatar for Cory Roop

Cory Roop

Director of Production Security, Invisible Technologies
Cory leads the Production Security function at Invisible Technologies. He’s a veteran engineer and leader who has scaled security programs for both healthcare firms and hyper-growth SaaS startups. He balances a "big picture" leadership style with a genuine love for the technical... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Vulnerability Management: The Leadership Playbook
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Most vulnerability programs keep teams busy without reducing risk. Mean-time-to-remediate improves quarter over quarter while the total count of unpatched vulnerabilities climbs. The program optimizes a local maximum: patching speed. This talk presents four strategies for escaping the cycle, and the leadership behaviors each strategy requires.
Strategy 1: Shrink what needs protecting. Every decommissioned environment, consolidated tool, and disabled stale account is one less thing to scan, patch, monitor, or defend. Specific targets exist in every organization: SaaS products nobody canceled after a pilot, test environments that outlived their projects, overlapping tools acquired through inertia. Zero-based security budgeting surfaces surprising candidates for elimination and reframes security from cost center to cost-reduction partner. But decommissioning requires a shared source of truth. When security counts 200 SaaS applications, finance tracks 100 with purchase orders, and IT lists 50 in systems management tools, conversations stall. Building that shared reality across departments is the prerequisite for any attack surface reduction initiative.
Strategy 2: Look beyond scanning. Scanners miss configuration drift, exposed APIs, shadow infrastructure, and short-lived cloud resources that disappear between scan cycles. Pairing vulnerability scanners with endpoint agents, cloud security posture tools, systems management software, and identity providers gives a more accurate picture of what needs attention. This section also challenges the attackers only need to be right once myth. Map it against MITRE ATT&CK: attackers must succeed at reconnaissance, initial access, persistence, lateral movement, and exfiltration. Every stage, sequentially. Defenders disrupt one step. Architectural choke points like SSO create disproportionate defensive returns. Terrain knowledge compounds over time and is impossible for an external attacker to replicate.
Strategy 3: Prioritize with context. Base CVSS scores assume worst-case conditions and mislead patching teams. Combining exploitability data such as EPSS scores and CISA's KEV catalog with environment specifics, including network exposure, compensating controls, and data sensitivity, produces rankings that reflect actual risk. A CVSS 6.5 on an internet-facing authentication server often deserves faster action than a CVSS 9.0 on an isolated test box. When patching teams see priorities grounded in their reality, they trust the process and act on it. The job of a security leader is not to maximize security but to calibrate acceptable insecurity through criteria a business colleague would understand.
Strategy 4: Apply pressure without alienating the teams who do the work. Patching teams are measured on delivery velocity, not vulnerability metrics. Earning a seat in their planning sessions starts with understanding their constraints and what they are trying to ship this quarter. Allies often sit outside security and IT: General Counsel cares about legal exposure, product management about customer trust, finance about cost reduction. Frame requests in terms of their objectives, not your risk scores. If your assessment doesn't change the state of the organization, it hasn't reduced risk.
The talk closes with metrics that measure program health rather than activity, guidance on communicating vulnerability management to boards and executives, and five diagnostic questions attendees take home to assess whether their program is reducing risk or producing reports.
Speakers
avatar for Lenny Zeltser

Lenny Zeltser

Faculty Fellow, SANS Institute
Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. He has built security products and programs from early stage to enterprise scale. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

When the Package Is the Weapon: Detecting and Responding to npm Supply Chain Intrusions
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Your developers trust npm. Attackers figured that out before your detection stack did.
This talk is a ground-up forensic reconstruction of two real npm supply chain campaigns — the NX package compromise in late 2025 and the axios RAT campaign in March 2026 — told entirely from the defender's perspective. Not a theoretical exercise. This is what the logs actually looked like, what the tooling missed, and what finally surfaced the activity.
We walk through how a malicious git hook silently drops a RAT onto a developer endpoint the moment they run a routine yarn dlx command, why this technique is specifically engineered to stay quiet in standard endpoint telemetry, and what the attacker does next. The target isn't your servers. It's the MetaMask wallet sitting in your developer's browser profile and the seed phrases cached in their dotfiles. Cloud credentials are secondary — harvested and staged for resale while the crypto moves on-chain.
The second half of the talk is pure blue team. We'll share the Humio/LogScale query patterns that actually worked, the CrowdStrike telemetry fields that matter for this attack class, the detection gaps these campaigns deliberately exploit, and a hardening checklist your security team can hand directly to engineering.
Real IOCs and detection artifacts from live incident forensics will be released during the session.
You will leave with something you can use the same week.
Speakers
avatar for Mohit Bansal

Mohit Bansal

Senior Engineering Manager, Security Engineering, Webflow
Mohit Bansal leads a security engineering team spanning SecOps, Vulnerability Management, Enterprise Security, Incident Response and security tooling. He brings 10+ years of security experience across application security engineering and leadership roles at multiple high-scale technology... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Why Incident Response Plans Fail Under Pressure
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Most incident response plans do not fail because the document is missing. They fail because people do. Under pressure, some teams panic and abandon strategy. Others choke, overanalyze, and freeze. In both cases, the plan may be technically sound, but human performance and cross-functional coordination break down.
 
This session explores why comprehensive IR plans still collapse in real incidents, even in organizations with mature security programs and well-documented procedures. Through breach case studies and practical lessons from high-pressure performance, we will examine what traditional tabletop exercises and compliance-driven training rarely test: legal pressure, executive escalation, media scrutiny, conflicting incentives, and the absence of pre-authorized decisions.
 
Attendees will leave with a practical framework for making incident response more resilient. We will cover how to reduce panic through cognitive offloading and automation, how to reduce choking through pre-authorized response paths and role clarity, and how to design adaptive simulations that force teams to make decisions under realistic pressure. We will also discuss how blameless postmortems turn failure into better instincts for the next crisis.
 
The goal is not a better-looking incident response plan. The goal is a response culture that still works when the facts are incomplete, the stakes are high, and every minute counts.
Speakers
avatar for Ron Dilley

Ron Dilley

CISO, Reflex Security
Ron Dilley works at Reflex Security as the Field CISO, focusing on technical evangelism, channel management, and community presence, while pushing the boundaries of what's possible in technology to deliver exceptional value for clients. He is also on the IANS Research Faculty, a speaker... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Your User, Their Rules: Rethinking the OS trust model for the AI-era
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago
Operating systems solved multi-user security decades ago: files have owners, permissions enforce boundaries, and one user's processes cannot tamper with another's data. But modern developer workstations are effectively single-user machines — and every process running as that user inherits the same trust. For years, this was a footnote. Today, it is the attack surface.


The explosion of AI-powered developer tools — IDE agents, MCP servers, lifecycle hooks, autonomous coding assistants — has turned local configuration files into high-leverage control planes. These tools store security-critical state (working directories, cluster credentials, session metadata, agent memory) in files and act on them without integrity validation due to assumed trust. The OS says "same user, same trust." The AI tool says "if it's in my config, I'll execute it." The result: any process running in the user's context — a compromised npm package, a malicious browser extension, a rogue VS Code plugin — can cause havoc: silently hijack an AI agent's behavior, redirect kubectl to an attacker-controlled server, or trigger recursive deletion of arbitrary directories to name a few.


In this talk, we present a systematic analysis of this trust gap through three original vulnerability disclosures across Docker Desktop, Lens Desktop, and Claude Desktop. In each case, the attack requires no privilege escalation, no kernel exploits, and no user credentials — only the ability to write to a JSON file that the OS considers perfectly authorized. We use these as case studies to examine a broader architectural problem: the classic OS segregation model was built for a world where "same user" meant "same human." In the age of AI agents, MCP servers, and autonomous tools, "same user" now means "same human plus every autonomous process acting on their behalf" — and processes don't necessarily verify whether the others are trustworthy.


We will dissect why this pattern keeps recurring (electron-store defaults, the absence of application-level integrity checks, the gap between OS-level and application-level trust), propose a threat model for "intra-user trust boundaries," and provide concrete detection and hardening strategies for security teams who need to defend developer endpoints where the OS permission model is necessary but no longer sufficient.


Speakers
avatar for Golan Myers

Golan Myers

Security Researcher, Bloom Security
Golan is a security researcher at Bloom Security, with previous experience as a researcher within the Cortex Cloud Posture Security research group at Palo Alto Networks, focusing on AI, identity, and data security.
avatar for Ofir Balassiano

Ofir Balassiano

Co-Founder, Bloom Security
Ofir is an experienced security researcher turned co-founder at Bloom Security. Led the Cortex Cloud Posture Security research group at Palo Alto Networks, focusing on AI, identity, and data security. Previously led the research group at Dig Security (acquired by PANW), served as... Read More →
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

11:00am CDT

How We've Gone Completely Phishing-resistant (And So Can You!)
Saturday September 12, 2026 11:00am - 12:00pm CDT
Swissôtel Chicago
Phishing-resistant authentication is shifting from optional to mandatory. Not only are attackers using phishing as the primary mechanism to evade traditional forms of MFA, but they are also evolving their attacks to find ways around implementations where phishing-resistant auth is only preferred and not enforced. The road to deploying passkeys, Windows Hello for Business and Mac Platform SSO looks easy enough in the Microsoft docs, but what does it look like to implement them as mandatory across a workforce?

In this session we’ll cover how we went from a handful of FIDO2 keys to phishing-resistant authentication across our enterprise in Entra ID at breakneck speeds. We’ll explore the ins-and-outs from a technical and organizational perspective of the implementation, the gotchas we hit along the way, and how we overcame them. We’ll cover edge case scenarios, and how deploying passkeys is just part of the bigger equation to going phishing-resistant. We’ll also examine phishing attack trends we were seeing, which helped inform and shape policy so that phishing-resistant authentication isn’t an option – it’s the only option.
Speakers
avatar for Eric Woodruff

Eric Woodruff

Chief Identity Architect, Semperis
Throughout his 26-year career in the IT field, Eric has sought out and held a diverse range of roles. Currently the Chief Identity Architect for Semperis; Eric previously was a member of the Security Research and Product teams. Prior to Semperis, Eric worked as a Security and Identity... Read More →
Saturday September 12, 2026 11:00am - 12:00pm CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk
 
Blue Team Con 2026
From $0.00

Get help with the event

Contact event planner Event login
View support guides Find upcoming events
Create an event you'd love to attend!
Explore why organizers choose Sched Success stories
Event App Event scheduling Event registration Event ticketing Sched forms Call for papers Badges Conferences
© 2026. SCHED LLC - All rights reserved - Helping events since 2008
Event Planning Software Privacy Terms
Share Modal

Share this link via

Or copy link

Filter sessions
Apply filters to sessions.
Filtered by Date - 
Clear filter
Thursday, September 10
Saturday, September 12
Microsoft Technology Center (Aon Center)
Swissôtel Chicago
  • Talk
  • Training
  • Company
  • Abstract
  • Acalvio
  • Amazon
  • Beazley Security
  • Black Hills Information Security
  • Bloom security
  • Broadcom
  • C Spire
  • Campbell Clinic
  • Coalfire
  • CQURE
  • Critical Path Security
  • Data Defenders
  • Dataminr
  • Daylight Security
  • DHS/CISA
  • EXOS
  • First National Bank of Omaha (FNBO)
  • Flare
  • Fortune 150 Food & Bev Manufacturer
  • GetReal Security
  • Horizon Secured
  • Invisible Technologies
  • LevelBlue
  • Liberty Mutual Insurance
  • Nationwide
  • Netwrix
  • Notion
  • Pixee AI
  • Push Security
  • Rapid7
  • Reflex Security
  • Reversec
  • Revology
  • SCYTHE
  • Semperis
  • Spacewalk.ai
  • SpecterOps
  • StoneX
  • TrustedSec
  • Webflow
  • WiCyS Wisconsin
  • Zelis Healthcare
  • Audience
  • Advanced
  • Beginner
  • Early Career
  • Intermediate
  • Subject
  • Application Security / DevSecOps
  • Career Matters
  • Governance / Risk / Compliance
  • Management / Leadership
  • Physical Security
  • Resilience
  • Security Operations / Tools
  • Threat Hunting and Red Teaming
  • Threat Intel and DFIR
  • Vulnerability Management